CVE-2026-46401
MEDIUMhaxtheweb issues - HAX CMS PHP Has Insufficient Session Expiration
Title source: ruleDescription
HAX CMS helps manage microsite universe with PHP or NodeJs backends. Versions prior to 26.0.0 suffer from an improper session termination vulnerability where authentication tokens remain valid after user logout. This allows attackers who obtain valid tokens to maintain persistent access to authenticated CMS functionality, bypassing the intended session termination mechanism and enabling unauthorized access to CMS metadata and administrative functions. Version 26.0.0 fixes the issue.
References (1)
Core 1
Core References
X_Refsource_Confirm x_refsource_confirm
https://github.com/haxtheweb/issues/security/advisories/GHSA-g5rc-4gpf-wx3w
Scores
CVSS v4
5.3
EPSS
0.0031
EPSS Percentile
22.6%
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-613
Status
published
Products (1)
haxtheweb/issues
< 26.0.0
Published
Jun 05, 2026
Tracked Since
Jun 06, 2026